"Researchers said they've uncovered a security vulnerability that could allow attackers to take full control of smartphones running Google's Android mobile operating system." So, how bad is this? Can anybody with knowledge of Android's inner workings explain?

First of all, this is a risk for people installing applications that appear to be from reputable developers but come from sketchy app stores. Most in the EU/USA who stick to installing apps from Google Play are not really in danger from it.

This is a vulnerability in how applications are signed, I think. So a person installing an app could be fooled at a deeper level than before. However, there are already malicious clones of apps out there that fool people without making use of this vulnerability. Like the recent Jay-Z app.

No, this is a risk for Google Play apps, too: it has been shown multiple times that the heuristics Google uses to detect malign code are easy to fool, so you could make a legitimate app and publish it on Google Play, but add a payload that adds itself to any and all of your currently installed applications. Then, even if the user removed the app with the payload, the system would still be hosed, and the only way to fully remove the payload would be a complete system format and a clean install from a firmware image.

I think it would be pretty difficult to get this on Google Play. If I understand it correctly, it allows malicious app devs to modify existing apps outside of the device while keeping the signature valid.

I don't think Google's malware detection is bad enough to allow me to upload an app signed by rovio.

I also don't think there is a way to infect other apps once on the device. I haven't read anything that says that it could.

Edit:

From the article:

While it would be devastating if an attacker was able to get such a modified APK into the Google Play Store, or somehow use the technique to hijack the update mechanism of legitimate apps, there are probably safeguards already in place to prevent such attacks.

"I imagine that Google would move quickly to add some logic to look for such attacks," Dan Wallach, a professor specializing in Android security in the computer science department of Rice University, told Ars. "Without that available to an attacker, this is likely to only be relevant for Android users who use third-party app stores (which have lots of other problems). This bug could also be valuable for users trying to 'root' their phones."
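The replies above turn on one question: what does "the signature stays valid" mean for an Android package? APKs of that era are signed with the JAR signing scheme: META-INF/MANIFEST.MF carries a SHA-1 digest for every file in the archive, META-INF/CERT.SF carries digests of the manifest sections, and META-INF/CERT.RSA is the PKCS#7 signature over CERT.SF. The verifier is only as good as the step that recomputes each entry's digest and compares it with the manifest. The example below is added here and is not code from the thread, the article, or Android itself; it reproduces that per-entry digest step over a constructed in-memory archive (the helper names `build_manifest`, `build_apk`, `parse_manifest` and `verify_entry_digests`, and the file contents, are all assumptions made for the example). It deliberately omits the CERT.SF and CERT.RSA checks, does not handle folded manifest lines longer than 72 characters, and does not reproduce the specific bug in the article, whose mechanism this page does not describe.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST_NAME = "META-INF/MANIFEST.MF"


def build_manifest(entries):
    """Build a JAR-style MANIFEST.MF with a SHA1-Digest section per entry.
    Assumption: every name fits on one line (no 72-column folding)."""
    lines = ["Manifest-Version: 1.0", "Created-By: example (constructed)", ""]
    for name, data in entries:
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
    return "\r\n".join(lines).encode()


def build_apk(entries, manifest):
    """Write an APK-like zip in memory: the manifest first, then the entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(MANIFEST_NAME, manifest)
        for name, data in entries:
            z.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text):
    """Return {entry name: base64 SHA-1 digest} from the manifest's sections."""
    digests = {}
    name = None
    for raw in text.decode().splitlines():
        line = raw.strip()
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
        elif line == "":
            name = None  # blank line ends a section
    return digests


def verify_entry_digests(apk_bytes):
    """Recompute the SHA-1 of every non-META-INF entry and compare it with
    the manifest. Returns (ok, list of problem descriptions)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        if MANIFEST_NAME not in names:
            return False, ["no META-INF/MANIFEST.MF"]
        digests = parse_manifest(z.read(MANIFEST_NAME))
        for info in z.infolist():
            if info.filename.startswith("META-INF/"):
                continue  # signature files are covered by CERT.SF, not here
            expected = digests.get(info.filename)
            if expected is None:
                problems.append(f"{info.filename}: not covered by manifest")
                continue
            actual = base64.b64encode(hashlib.sha1(z.read(info)).digest()).decode()
            if actual != expected:
                problems.append(f"{info.filename}: digest mismatch")
        for name in digests:
            if name not in names:
                problems.append(f"{name}: in manifest but missing from archive")
    return not problems, problems


# Constructed sample data: a "signed" app, the same app with classes.dex
# modified after signing, and the same app with an extra unsigned file.
ORIGINAL = [
    ("classes.dex", b"dex\n035\x00original bytecode"),
    ("res/layout/main.xml", b"<layout/>"),
]
MANIFEST = build_manifest(ORIGINAL)
GOOD_APK = build_apk(ORIGINAL, MANIFEST)
TAMPERED = [
    ("classes.dex", b"dex\n035\x00injected payload"),
    ("res/layout/main.xml", b"<layout/>"),
]
TAMPERED_APK = build_apk(TAMPERED, MANIFEST)
EXTRA_FILE_APK = build_apk(ORIGINAL + [("lib/armeabi/libx.so", b"\x7fELF")], MANIFEST)

if __name__ == "__main__":
    for label, apk in (("good", GOOD_APK), ("tampered", TAMPERED_APK), ("extra", EXTRA_FILE_APK)):
        print(label, verify_entry_digests(apk))
```

Run as a script it reports the untouched archive as clean, the modified classes.dex as a digest mismatch, and the extra native library as not covered by the manifest. The point for the thread is that an attacker "keeping the signature valid" has to get past exactly this comparison (plus the CERT.SF and CERT.RSA layers above it); anything that lets the installer read different bytes than the verifier hashed would do it, which is why the third-party-store and rooting angles in the article are where the discussion lands.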